Mitigating Unencrypted Amazon EFS File Systems: Efficient Encryption Solutions


Question

A financial institution is planning to use Amazon EFS for its business-critical data storage.

The latest security audit found that some of the Amazon EFS file systems are unencrypted.

To mitigate this issue, the Security Team has been instructed to implement a policy that will permit only encrypted file systems to be launched.

Also, as an additional security measure, all data in transit should be encrypted. Which of the following can be efficiently implemented for encryption?

Answers

Explanations


Correct Answer: B.

For encrypting data in transit for Amazon EFS, using the Amazon EFS mount helper is the simplest way.

To enforce the creation of only encrypted Amazon EFS file systems, the IAM conditional key elasticfilesystem:Encrypted can be used in a policy to make sure that only encrypted file systems are created.

Option A is incorrect, as the IAM conditional key efs:Encrypted is not a valid option for enforcing encryption of data at rest for Amazon EFS.

Option C is incorrect, as the Amazon EFS mount helper is used for encrypting data in transit and not for encryption at rest in the case of Amazon EFS.

Option D is incorrect, as installing stunnel manually is a complex way of enabling encryption in transit for Amazon EFS.

For more information on encryption with Amazon EFS, refer to the following URLs:

https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html
https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html

The correct answer is A. Use IAM conditional key efs:Encrypted to enforce the creation of encrypted file systems (encryption at rest) and use the Amazon EFS mount helper for encryption in transit.

Explanation: Amazon Elastic File System (Amazon EFS) is a fully managed file storage service that provides simple, scalable file storage for use with Amazon EC2 instances in the AWS Cloud. Amazon EFS file systems can be encrypted using AWS Key Management Service (KMS) keys.

To enforce the creation of encrypted file systems, an IAM conditional key can be used. IAM conditional keys allow fine-grained control over AWS resources based on specific conditions. In this case, the IAM conditional key efs:Encrypted can be used to ensure that only encrypted file systems are launched.
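The guardrail works only if the policy evaluates the way the administrator expects, so the following added example (not from the page or from AWS) models how IAM evaluates such a condition on a CreateFileSystem request. It uses the condition key documented in the AWS EFS user guide linked above, elasticfilesystem:Encrypted; the policy documents and request contexts are constructed for this example, and the evaluator implements only the subset of IAM semantics needed here (explicit Deny wins over Allow, the Bool and BoolIfExists condition operators, and the service:* action wildcard). It also shows the difference between Bool and BoolIfExists when the key is absent from the request context.

```python
"""Model of an IAM guardrail that denies creation of unencrypted EFS file
systems. Added example: the policy below is constructed for this page and the
evaluator covers only Allow/Deny precedence plus the Bool and BoolIfExists
condition operators."""

ACTION = "elasticfilesystem:CreateFileSystem"
KEY = "elasticfilesystem:Encrypted"  # condition key from the EFS user guide


def guardrail_policy(operator="Bool"):
    """Identity policy that allows EFS administration but denies
    CreateFileSystem when the request is not flagged as encrypted.
    operator="Bool" is the usual form; "BoolIfExists" additionally denies a
    request whose context lacks the key entirely (fails closed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowEfsAdmin",
                "Effect": "Allow",
                "Action": "elasticfilesystem:*",
                "Resource": "*",
            },
            {
                "Sid": "DenyUnencryptedFileSystems",
                "Effect": "Deny",
                "Action": ACTION,
                "Resource": "*",
                "Condition": {operator: {KEY: "false"}},
            },
        ],
    }


def _action_matches(pattern, action):
    """Exact action name, '*', or the 'service:*' wildcard form."""
    if pattern == action or pattern == "*":
        return True
    return pattern.endswith("*") and action.startswith(pattern[:-1])


def _condition_matches(condition, context):
    """Every operator block must match. A key missing from the request context
    fails a plain operator but satisfies the ...IfExists form (IAM semantics)."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, wanted in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def is_allowed(policy, action, context):
    """Return True if the request is allowed: an explicit Deny always wins,
    otherwise at least one matching Allow statement is required."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed request contexts: encrypted, unencrypted, and key absent.
    for op in ("Bool", "BoolIfExists"):
        pol = guardrail_policy(op)
        for ctx in ({KEY: "true"}, {KEY: "false"}, {}):
            verdict = "ALLOW" if is_allowed(pol, ACTION, ctx) else "DENY"
            print(f"{op:12} {ctx!s:40} -> {verdict}")
```

The third context in the loop is the case worth checking before rolling the policy out: with a plain Bool operator a request whose context does not carry the key is not denied, whereas BoolIfExists treats the missing key as a match and denies it, which is the safer default for a guardrail.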

Encryption of data in transit can be achieved using the Amazon EFS mount helper. The Amazon EFS mount helper is a client-side tool that simplifies mounting and managing EFS file systems on Linux instances. It supports encryption of data in transit by encrypting traffic using Transport Layer Security (TLS).
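Enabling TLS with the mount helper means passing its tls mount option, so a practitioner will also want to verify that no EFS mount on a host was configured without it. The following added example (not from the page or from AWS) audits fstab-style entries for EFS mounts that will not go through the mount helper's TLS tunnel: helper mounts (type efs) lacking the tls option, and raw nfs4 mounts of an EFS DNS name, which bypass the helper entirely. The fstab content and file system IDs are constructed for this example.

```python
"""Audit /etc/fstab-style entries for EFS mounts lacking in-transit encryption.
Added example with constructed sample data; file system IDs are not real."""

# Constructed sample fstab content (not taken from any real host).
SAMPLE_FSTAB = """\
# <file system>            <mount point>   <type>  <options>        <dump> <pass>
UUID=1111-2222             /               ext4    defaults         0 1
fs-0123456789abcdef0:/     /mnt/efs-tls    efs     _netdev,tls      0 0
fs-0fedcba9876543210:/     /mnt/efs-plain  efs     _netdev          0 0
fs-00000000000000000.efs.us-east-1.amazonaws.com:/ /mnt/efs-nfs nfs4 nfsvers=4.1,rsize=1048576 0 0
"""


def parse_fstab(text):
    """Parse fstab lines into dicts; comments, blanks and short lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        spec, mountpoint, fstype, options = fields[:4]
        entries.append(
            {
                "spec": spec,
                "mountpoint": mountpoint,
                "type": fstype,
                "options": set(options.split(",")),
            }
        )
    return entries


def is_efs_mount(entry):
    """A mount is EFS if it uses the mount helper (type efs) or targets an
    EFS DNS name (the .efs. label in the source specification)."""
    return entry["type"] == "efs" or ".efs." in entry["spec"]


def unencrypted_efs_mounts(text):
    """Return mount points of EFS entries that will not use TLS in transit.
    Only the mount helper honours the tls option; a raw nfs4 mount of the EFS
    endpoint is not protected by fstab options alone."""
    findings = []
    for entry in parse_fstab(text):
        if not is_efs_mount(entry):
            continue
        if entry["type"] != "efs" or "tls" not in entry["options"]:
            findings.append(entry["mountpoint"])
    return findings


if __name__ == "__main__":
    for mountpoint in unencrypted_efs_mounts(SAMPLE_FSTAB):
        print(f"EFS mount without TLS: {mountpoint}")
```

Run against the real file with `unencrypted_efs_mounts(open("/etc/fstab").read())`; an empty result means every EFS entry on the host is a helper mount with the tls option set.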

Option B is incorrect as the correct IAM conditional key to enforce the creation of encrypted file systems is efs:Encrypted, not elasticfilesystem:Encrypted.

Option C is incorrect because the Amazon EFS mount helper can be used for encryption in transit, but it cannot enforce the creation of encrypted file systems. An IAM conditional key is required for this purpose.

Option D is incorrect because while stunnel can be used to encrypt data in transit, it is not a recommended or supported method for encrypting Amazon EFS traffic. The Amazon EFS mount helper should be used for encryption in transit.